CVE-2026-28508 CRITICAL

CVE-2026-28508: Idno: Unauthenticated SSRF via URL Unfurl Endpoint

Vendor Idno
Product idno
Weakness CWE-918 · SSRF
Published March 6, 2026
Last update March 6, 2026
View on NVD All CVEs

CVSS base score

9.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

What the vulnerability does

01Description

Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content. This issue has been patched in version 1.6.4.

Key dates

02Disclosure timeline

March 6, 2026 CVE published
March 6, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-40632 Linkerd potential access to the shutdown endpoint CVE-2026-6616 TransformerOptimus SuperAGI WebScraperTool webpage_extractor.py extract_with_lxml server-side request forgery CVE-2026-32301 Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL CVE-2024-6095 SSRF and Partial LFI in /models/apply Endpoint in mudler/localai CVE-2025-11128 Feedzy RSS Feeds Lite <= 5.1.0 - Authenticated (Subscriber+) Server-Side Request Forgery